A few policy changes I had to make

Daniel J Walsh dwalsh at redhat.com
Sat Nov 13 13:05:51 UTC 2004


Rodrigo Damazio wrote:

> Hello. I started playing with SELinux on FC2, and recently moved to FC3,
> and I must say it's much better now, with the targeted policy. Congrats
> on this.
> I still had to change a few things in my policies, though. Following is
> a collection of the avc errors justifying my changes. I'm not
> experienced with SELinux yet, so I may be doing something wrong... please
> let me know if these changes are correct or not. Also, the unlink allow
> for httpd_t is because, for some reason, when I try to remove a file
> from within PHP, it uses httpd_t instead of httpd_sys_script_t. I would
> also like a rule (which I'm not sure how to write) to allow PHP programs
> to execute external programs, since I have a script which receives an
> uploaded file, does a lot of processing with it through external
> programs, and stores it in the database - when I run that, it gives me
> avc execute errors trying to run bash and the other utilities.
>
> Apache:
> Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  
> denied  { connectto } for  pid=2522 exe=/usr/sbin/httpd 
> path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t 
> tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
>
> NTPd:
> Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:  
> denied  { create } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  
> denied  { bind } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
> Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  
> denied  { getattr } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
> Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc:  
> denied  { write } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
> Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:  
> denied  { net_admin } for  pid=2293 exe=/usr/sbin/ntpd capability=12 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=capability
> Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc:  
> denied  { nlmsg_read } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
> Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc:  
> denied  { read } for  pid=2293 exe=/usr/sbin/ntpd 
> scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
> tclass=netlink_route_socket
>
> DHCPd:
> Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc:  
> denied  { create } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc:  
> denied  { bind } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc:  
> denied  { getattr } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc:  
> denied  { write } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc:  
> denied  { net_admin } for  pid=10002 exe=/usr/sbin/dhcpd capability=12 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=capability
> Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc:  
> denied  { nlmsg_read } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc:  
> denied  { read } for  pid=10002 exe=/usr/sbin/dhcpd 
> scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
> tclass=netlink_route_socket
> Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  
> denied  { unlink } for  pid=10008 exe=/usr/sbin/dhcpd 
> name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t 
> tcontext=system_u:object_r:file_t tclass=file
>
> named:
> Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc:  
> denied  { create } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
> Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc:  
> denied  { bind } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
> Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc:  
> denied  { getattr } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
> Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc:  
> denied  { write } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
> Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc:  
> denied  { nlmsg_read } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
> Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc:  
> denied  { read } for  pid=10183 exe=/usr/sbin/named 
> scontext=root:system_r:named_t tcontext=root:system_r:named_t 
> tclass=netlink_route_socket
>
> Thanks,
> Rodrigo
>
>------------------------------------------------------------------------
>
>diff -ru src.orig/policy/domains/program/apache.te src/policy/domains/program/apache.te
>--- src.orig/policy/domains/program/apache.te	2004-11-01 19:36:22.000000000 -0200
>+++ src/policy/domains/program/apache.te	2004-11-12 23:54:36.127952796 -0200
>@@ -285,6 +285,8 @@
> # Allow httpd to work with postgresql
> #
> allow httpd_t tmp_t:sock_file rw_file_perms;
>+allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
>+allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
> ') dnl targeted policy
>  
>
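Review bot: neither added line grants the permission that was actually denied. The logged denial is `{ connectto }` on a unix_stream_socket whose tcontext is unconfined_t, and rw_file_perms is a file permission set that does not contain connectto, so the rule as written would not clear that denial; the `tmp_t:unix_stream_socket` line matches no denial at all (the tmp_t object in play is the sock_file already covered by the line above it). The narrowest rule for the log is `allow httpd_t unconfined_t:unix_stream_socket connectto;`, which is still wide because every unconfined process's sockets carry unconfined_t; a dedicated postgresql domain would let the rule name the server's own type instead.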
This would allow httpd to talk to any unix_stream_socket (XWindows, for 
example).
I am going to try to add postgresql.te (as we have with mysql.te) to 
targeted policy to see if it fixes this and does not cause other problems.

> 
> #
>diff -ru src.orig/policy/domains/program/dhcpd.te src/policy/domains/program/dhcpd.te
>--- src.orig/policy/domains/program/dhcpd.te	2004-11-01 19:36:22.000000000 -0200
>+++ src/policy/domains/program/dhcpd.te	2004-11-12 23:38:18.000000000 -0200
>@@ -33,13 +33,14 @@
> can_ypbind(dhcpd_t)
> allow dhcpd_t self:unix_dgram_socket create_socket_perms;
> allow dhcpd_t self:unix_stream_socket create_socket_perms;
>+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
> 
>  
>
Added, but I have never seen this before.

> allow dhcpd_t var_lib_t:dir search;
> 
> allow dhcpd_t devtty_t:chr_file { read write };
> 
> # Use capabilities
>-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
>+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };
> 
>  
>
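Review bot: the net_admin addition widens the capability set for every dhcpd operation, while the log shows it denied in the same second as the netlink_route_socket create/bind/getattr/write/nlmsg_read/read denials, i.e. the daemon enumerating interfaces and routes; those netlink denials include nlmsg_read but no nlmsg_write, so the read-only r_netlink_socket_perms line earlier in this hunk is the right scope for them, and net_admin should stay out (dontaudit it, as suggested above) until something observably breaks without it. Separately, the `{ unlink }` denial on dhcpd.leases~ has tcontext file_t rather than the dhcp_state_t this file declares as dhcpd's own file type, and this hunk does not address it; that one is a labeling problem to fix by relabeling the leases directory (restorecon), not by adding a rule.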
net_admin is a strong capability. It allows you to bring up and down 
network interfaces and modify iptables rules. 
Do you have any idea what it is trying to do that would cause this?  
Could you try to dontaudit it and see what happens?
dontaudit dhcpd_t self:capability net_admin;

> # Allow access to the dhcpd file types
> type dhcp_state_t, file_type, sysadmfile;
>diff -ru src.orig/policy/domains/program/named.te src/policy/domains/program/named.te
>--- src.orig/policy/domains/program/named.te	2004-11-01 19:36:22.000000000 -0200
>+++ src/policy/domains/program/named.te	2004-11-12 23:42:38.000000000 -0200
>@@ -60,6 +60,7 @@
> # Bind to the named port.
> allow named_t dns_port_t:udp_socket name_bind;
> allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
>+allow named_t self:netlink_route_socket r_netlink_socket_perms;
> 
>  
>
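Review bot: the permission set matches the named denials exactly (create, bind, getattr, write, nlmsg_read, read, and no nlmsg_write), so the read-only macro is the right scope. Note that the log shows no net_admin denial for named even though it opens the same route socket, which is evidence that reading the routing table does not require net_admin; that distinction is worth carrying over to the dhcpd and ntpd changes, where net_admin was added alongside the same netlink line.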
Added, but again I have not seen this.

> bool named_write_master_zones false;
> 
>diff -ru src.orig/policy/domains/program/ntpd.te src/policy/domains/program/ntpd.te
>--- src.orig/policy/domains/program/ntpd.te	2004-11-01 19:36:22.000000000 -0200
>+++ src/policy/domains/program/ntpd.te	2004-11-12 23:33:18.000000000 -0200
>@@ -22,7 +22,7 @@
> # for SSP
> allow ntpd_t urandom_device_t:chr_file read;
> 
>-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
>+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot net_admin };
>  
>
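Review bot: adding net_admin here hands the time daemon the ability to reconfigure interfaces and firewall rules, and nothing in the quoted denials shows ntpd doing anything with it beyond the interface enumeration that the netlink_route_socket lines already account for; drop this line, add `dontaudit ntpd_t self:capability net_admin;` beside the existing dontaudit for fsetid and sys_nice, and confirm ntpd still synchronises before considering anything wider.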
This should definitely not be allowed.  I can't see why ntpd would want 
to modify your network environment.

> allow ntpd_t self:process { setcap setsched };
> # ntpdate wants sys_nice
> dontaudit ntpd_t self:capability { fsetid sys_nice };
>@@ -39,6 +39,7 @@
> allow ntpd_t ntp_port_t:udp_socket name_bind;
> allow ntpd_t self:unix_dgram_socket create_socket_perms;
> allow ntpd_t self:unix_stream_socket create_socket_perms;
>+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
> 
>  
>
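Review bot: this line matches the ntpd netlink_route_socket denials (create, bind, getattr, write, nlmsg_read, read; no nlmsg_write), so the read-only scope is right and the placement next to the daemon's other self socket rules is consistent. Since dhcpd.te, named.te and this file now each carry the identical hand-added line, a shared daemon macro would keep the three in step and make the next daemon that needs it a one-line change.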
Same as previous comments about netlink sockets.

> # so the start script can change firewall entries
> allow initrc_t net_conf_t:file { getattr read ioctl };
>diff -ru src.orig/policy/macros/program/apache_macros.te src/policy/macros/program/apache_macros.te
>--- src.orig/policy/macros/program/apache_macros.te	2004-11-01 19:36:22.000000000 -0200
>+++ src/policy/macros/program/apache_macros.te	2004-11-12 23:01:49.000000000 -0200
>@@ -106,6 +106,7 @@
> ############################################################################
> r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
> create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
>+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };
> ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
> 
> if (httpd_enable_cgi) && (httpd_unified) {
>  
>
>  
>
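Review bot: the new line sits inside a macro parameterised by $1 but names httpd_t, the daemon domain, rather than httpd_$1_script_t like the surrounding r_dir_file/create_dir_file/ra_dir_file lines, so every expansion of the macro grants the daemon unlink on that script type's rw files. If the intent is to let the daemon remove files PHP creates, put the rule beside the daemon's own httpd_sys_script_rw_t rules instead of in the per-script macro, and drop the braces around the single type. Also, no avc line for this unlink appears in the quoted log, so the rule cannot be checked against a denial; capture that denial first.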
The updated policy has the following, which would cover this case.

r_dir_file(httpd_t, httpd_sys_script_ro_t)
create_dir_file(httpd_t, httpd_sys_script_rw_t)
ra_dir_file(httpd_t, httpd_sys_script_ra_t)

>------------------------------------------------------------------------
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
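An added example, not from this thread and not any SELinux tool, that does what a reviewer does with a log like Rodrigo's before writing rules: merge the avc lines into one candidate rule per (source, target, class) and flag the ones that deserve scrutiny (capability grants, access into another domain, and targets carrying the generic file_t label). It assumes the 2004-era kernel avc line format shown above; the five sample lines are copied from the denials quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: five of the avc lines quoted in this thread, one denial per line.
SAMPLE_LOG = """\
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  denied  { connectto } for  pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:  denied  { create } for  pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:  denied  { net_admin } for  pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc:  denied  { nlmsg_read } for  pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  denied  { unlink } for  pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(text):  # yield (src_type, tgt_type, tgt_role, tclass, perms) per denial line
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # ordinary kernel messages without an avc record are skipped
            _, trole, tgt = m.group("tcon").split(":")[:3]
            yield m.group("scon").split(":")[-1], tgt, trole, m.group("tclass"), set(m.group("perms").split())

def consolidate(text):  # merge denials sharing (source, target, role, class) into one permission set
    merged = defaultdict(set)
    for src, tgt, trole, cls, perms in parse_avc(text):
        merged[(src, tgt, trole, cls)] |= perms
    return dict(merged)

def render(key, perms):  # policy syntax for one merged entry; a target equal to the source becomes self
    src, tgt, _, cls = key
    plist = " ".join(sorted(perms))
    return f"allow {src} {'self' if tgt == src else tgt}:{cls} " + (plist if len(perms) == 1 else "{ " + plist + " }") + ";"

def allow_rules(text):  # what audit2allow-style tooling would propose, one rule per merged entry
    return [render(k, p) for k, p in sorted(consolidate(text).items())]

def needs_review(text):  # candidate rules a reviewer should not wave through, with the reason for each
    flagged = {}
    for (src, tgt, trole, cls), perms in sorted(consolidate(text).items()):
        reasons = []
        if cls == "capability":
            reasons.append("grants a capability to the whole domain")
        if trole != "object_r" and tgt != src:  # a process role on the target means another domain
            reasons.append("reaches into another domain's objects")
        if tgt == "file_t":
            reasons.append("target is file_t: fix the label, not the policy")
        if reasons:
            flagged[render((src, tgt, trole, cls), perms)] = reasons
    return flagged
```

Run against the sample, only the ntpd netlink rule comes back unflagged; the net_admin grant, the httpd connection into unconfined_t and the dhcpd unlink on a file_t object are each reported with the reason a reviewer would raise.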